Hi there! I had posted this question on the Trellix community forums and was referred to here for an answer to my question. I am hoping that someone will be able to point me in the right direction here.
Right now we are grabbing MVISION EDR cloud logs using this mvision-edr-activity-feed script. The script is currently subscribed to case, case-mgmt-events, threat, and threatEvents. However, we are finding that the information in the events is missing some of the details we are looking for. For example, we might get a threat event that includes the name of the file or process detected as a threat, the location on disk of the file, as well as the hashes. However, we would also like to pull in specific information from the host that this file/process is running on.
For example, in our MVISION EDR cloud portal we see host information like what is highlighted in red here:
We are interested in pulling out some of this information into the activity feed such as some of the DNS activity entries from the host.
Is there a way to modify the script to capture this information, or would we need to pull this information a different way? It wasn't clear to me what all of the different types of feeds are that can be pulled using the script or if this script will even allow us to grab the additional details we are wanting. Any advice on how to accomplish this is greatly appreciated! Thank you for your help!
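One way to get the host details onto the threat events is to keep the feed subscription as it is and enrich each threat event in the handler, joining it to host activity pulled from a separate source. The block below is an added illustration of that join pattern; it is not code from the mvision-edr-activity-feed project and does not use its API. The event field names (`host_id`, `detected_at`), the host DNS lookup table and all sample values are constructed assumptions standing in for whatever the real feed and host-activity source provide.

```python
"""Added example: enriching EDR threat events with host DNS activity.

The event shapes and the host-activity lookup below are assumptions for
illustration only; they are not the mvision-edr-activity-feed API.
"""
from datetime import datetime, timedelta, timezone

# Constructed threat event in the shape the question describes: file name,
# on-disk location and hash, plus an assumed host identifier and timestamp.
SAMPLE_THREAT_EVENT = {
    "topic": "threatEvents",
    "host_id": "host-0001",                     # assumed field name
    "detected_at": "2024-01-15T10:05:00Z",      # assumed field name
    "file_name": "suspicious.exe",
    "file_path": "C:\\Users\\Public\\suspicious.exe",
    "sha256": "<placeholder-hash>",             # placeholder, not a real IoC
}

# Constructed case-management event; it should pass through unchanged.
SAMPLE_CASE_EVENT = {"topic": "case-mgmt-events", "case_id": "case-42", "action": "opened"}

# Constructed host DNS activity keyed by host id. In a real deployment this
# would come from whatever API or export exposes per-host activity.
SAMPLE_HOST_DNS = {
    "host-0001": [
        {"ts": "2024-01-15T09:59:30Z", "query": "telemetry.example.net"},
        {"ts": "2024-01-15T10:04:10Z", "query": "unknown-host.example.org"},
        {"ts": "2024-01-15T11:30:00Z", "query": "cdn.example.com"},
    ]
}

ENRICHED_TOPICS = ("threat", "threatEvents")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dns_activity_around(host_dns, host_id, detected_at,
                        before=timedelta(minutes=10), after=timedelta(minutes=10)):
    """Return the host's DNS entries inside [detected_at - before, detected_at + after].

    Restricting to a window keeps the enriched event focused on activity that
    is plausibly related to the detection rather than the host's full history.
    """
    centre = parse_ts(detected_at)
    start, end = centre - before, centre + after
    return [e for e in host_dns.get(host_id, []) if start <= parse_ts(e["ts"]) <= end]


def enrich_threat_event(event, host_dns):
    """Copy the event and attach the matching host DNS activity under one key."""
    enriched = dict(event)  # never mutate the feed's own object
    enriched["host_dns_activity"] = dns_activity_around(
        host_dns, event["host_id"], event["detected_at"])
    return enriched


def handle_event(event, host_dns):
    """Feed handler: enrich threat topics, pass every other topic through as-is."""
    if event.get("topic") in ENRICHED_TOPICS and "host_id" in event:
        return enrich_threat_event(event, host_dns)
    return dict(event)


if __name__ == "__main__":
    for ev in (SAMPLE_THREAT_EVENT, SAMPLE_CASE_EVENT):
        print(handle_event(ev, SAMPLE_HOST_DNS))
```

The handler keeps every original field (file name, path, hashes) and adds a single `host_dns_activity` list, so downstream consumers that already parse the feed are not broken; the window size and the host-activity source are the two things you would replace with whatever your environment actually provides.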